Facebook 醜聞真係停不了,Business Insider 剛剛就披露 Facebook 原來自 2016 年開始,在沒有徵求用戶同意下,「非故意地」上載了 150 萬新註冊用戶的電郵通信錄資料到 Facebook 系統。
自 2016 年, Facebook 會要求部分使用指定電郵供應商的新註冊用戶(基本上是沒有採用 OAuth 機制來提供身分驗證服務的電郵供應商),以電郵帳戶來驗證。 Facebook 會要求用戶輸入電郵信箱的密碼,然後瀏覽器上就出現一個「 importing contacts (匯入通信錄) 」的窗口⋯⋯聽到這裡大家都會發覺有問題吧?沒錯,有位關注網絡安全的網友 e-sushi 就透過 Twitter 指出這做法問題。保安專家 Bennett Cyphers 更直指「這基本上跟網絡釣魚沒分別」。
事件被揭發後, Facebook 回應傳媒指事件是在上月停止採用電郵密碼驗證時發現的。他們指 2016 年提供電郵身分驗證的同時,推出了自願性上傳通信錄計劃。不過他們事後更改了功能,並在文字信息中向用戶指上傳的通信錄資料會被刪除,不過事實上就沒有那樣做。新註冊用戶在使用電郵密碼驗證時,會在沒有徵求用戶同意下,將用戶電郵通信錄也上傳到 Facebook 。
Facebook 指他們並非故意那樣做,並計劃在這幾天發電郵通知受影響約 150 萬用戶,及從該公司的系統裡刪除有關的電郵通信錄資料,又強調沒有將這些資料交給第三者。他們的聲明如下:
Last month we stopped offering email password verification as an option for people verifying their account when signing up for Facebook for the first time. When we looked into the steps people were going through to verify their accounts we found that in some cases people’s email contacts were also unintentionally uploaded to Facebook when they created their account. We estimate that up to 1.5 million people’s email contacts may have been uploaded. These contacts were not shared with anyone and we’re deleting them. We’ve fixed the underlying issue and are notifying people whose contacts were imported. People can also review and manage the contacts they share with Facebook in their settings.
大家應注意無論是任何著名平台,任何時候都不應該在一個平台上提供另一個平台的用戶密碼,那是釣魚網的常用手法。